Personally, I'm a huge fan of this change, because it creates a strong incentive for vendors to patch sooner rather than later. And when you're trying to improve an ecosystem, incentive structure is a make-or-break decision. https://twitter.com/itswillis/status/1214595438113886209 …
Replying to @justinschuh
Here's the problem with that, what economic incentives exist to fix vulnerabilities if you have no reason to believe your customers know about it? Customers are not going to request a fix, or make any purchase decisions based on data they don't have, so why bother?
Replying to @taviso
Unless you're arguing that companies are going to stop providing severity information and credits in their release notes, I don't see your argument. And either way, the time-to-patch data will always be available and provides exactly that insight.
Replying to @justinschuh
I'm asking why should I patch a bug that my customers don't know about? What's the incentive?
Replying to @taviso @justinschuh
Future business: they might not know about this one now, but if they learn about it later (particularly by being directly harmed by it), then they won't be a repeat customer.
That's a very big-picture, hand-wavy reason though, right? Patching is expensive, disruptive and unpopular, and vendors aren't usually blamed for exploits (e.g. EternalBlue). That's some expensive goodwill, no?